Comments on: Gumblar .cn Exploit – 12 Facts About This Injected Script

By: FK

FK — Wed, 29 Dec 2010 02:53:28 +0000

Just to add some info.

Our clients sites, got inject, more than 200 sites, we have recovered all the sites, and seems to only have affect the index files, or at least the files that have common names.

We are still checking the wp sites but these seem more affected.

Still haven´t found the computer that originated the FTP “hole”, as many of the sites are not on more recent ftp softwares. But lesson learn don´t store passwords on the softwares.

By: Virus Removal

Virus Removal — Tue, 25 May 2010 08:51:27 +0000

Hey, hopefully someone can make use of this 

If you are having issues running virus scanners whilst your computer is turned on, try to start into ‘Safe Mode’.

If you’re using a version of Windows, you’ll be able to do this. (Windows XP, Windows Vista & Windows 7)

Safe Mode:
Turn computer off
Turn computer on whilst tapping F8. When prompted select ’safe mode with networking’
When prompted, click Yes & start into Windows as normal.

By: MMO-Champion got hacked - WoW-Raiders

MMO-Champion got hacked - WoW-Raiders — Sat, 22 May 2010 10:41:15 +0000

[...] details For more details about Gumblar, see this Wikipedia article or this Unmask Parasites article. For a technical summary of Gumblar, there’s a nice article on iss.net about it. [...]

By: Denis

Denis — Sun, 04 Apr 2010 14:27:01 +0000

Hi,

1. The linked article is not about Gumblar. It describes a different infection (this one)

2. Use the script at you own risk. The scripts used by this infection mutate every day and that removal script may not detect the new modifications (at best) or even corrupt your data (in worst case).

3. You don’t need any removal scripts at all if you have a clean backup. Just remove everything and then restore the site from that backup.

By: digitalpbk

digitalpbk — Wed, 31 Mar 2010 13:29:27 +0000

Hi i have made this script to remove all scripts on server using PERL. See the script @ Remove Gumblar Virus

By: Securing FTP Access on a cPanel Server :: The cPanel Admin

Securing FTP Access on a cPanel Server :: The cPanel Admin — Thu, 11 Feb 2010 17:53:13 +0000

[...] with viruses like Gumblar stealing FTP passwords and farming them out to hackers so they can upload malicious code into user files. What you end up with is a flood of complaints from users about errors on their [...]

By: Top 10 Malware Sites | Decentralization Station | Power of the cloud

Top 10 Malware Sites | Decentralization Station | Power of the cloud — Wed, 06 Jan 2010 12:35:11 +0000

[...] malware researchers reported widespread compromises pointing to the domains gumblar.cn and martuz.cn, both of which made it on [...]

By: Malicious Javascript Code infected my blogs - Ryan Isra, Cyberworld, Technology

Malicious Javascript Code infected my blogs - Ryan Isra, Cyberworld, Technology — Wed, 30 Dec 2009 19:44:19 +0000

[...] its name is Gumblar. You can find further information about Gumblar on Unmask Parasites Blog, Wikipedia, or ISS.net. I got alot of useful information. However, I might be infected by its [...]

By: Markusk

Markusk — Wed, 16 Dec 2009 22:14:28 +0000

If you know the date of the infection, you can easily check all files that were edited on that day.

btw, I noticed, it replaced a file called home.inc, so it probably also targets all files containing “home” in the name, additionally to “index”, “default”, etc and ALL .js files.

By: ugg outlet

ugg outlet — Sun, 13 Dec 2009 12:49:42 +0000

Make sure to check the folders “error_docs” and “httpsdocs” on your webserver!!!

The malicious code can also be found in these locations – therefore the infection will not be cured if you just upload a clean backup version of your website from a clean system unless you sanitize those locations too.